Customized integration to upload files from my computer to the siemplify server

Hi team,
Is there a way, inside a customized integration, to upload files from my computer to the Siemplify server?


You can write a Python script that writes a file to the server. I've written text files directly to /tmp.
If it's a larger file, you could put the file on a hosted webserver (or Google Drive) and then write a Python script to download the file from the download link.


I'm assuming you can do something similar. I'm not sure if one of the other File Utilities can be used to replace my step 1, but if not it wouldn't be too difficult to write a custom action to do so.


@nat marinheiro, if you mean 'manually' upload something to be used by the playbook (or for any other reason) and to be associated with an alert (or case), you can upload 'evidence' to the case wall and then use a powerup action to retrieve it from the case wall.

Hi @Yair Stern what powerup action would that be? I tried "Get Case Data" which reports the uploaded evidence as one of the items on the case wall, but wasn't able to find the "path" which e.g. needs to be put into a "Fireeye AX" action.


@Marek Kreul, slightly different use case than what I had in mind, but I might be wrong.

To answer your question, I thought of using the "Get Attachment", which would return a base64 string of the file from the case wall.
I thought the problem was interacting 'manually' with the server and that's why I've suggested the add evidence (API).
If you want to use it to upload IOCs and send them to a sandbox (or any other action that today uses a file path) then unfortunately you need an intermediate action to write it down to disk.

Alternatively, if we go by the customization route, you can customize the action that uploads files to the sandbox to either get them from the case wall (with the same API endpoint that the "Get Attachment" uses) or accept a base64 string and send it that way.

Since I know we are working to address the issue of dealing with files in general I think the easiest way (looking to the future) would be not to change the actions that upload files to the sandbox, but rather use an intermediate action to deal with it right now, and in the future you should be able to remove that action (though it depends on the solution we will implement to deal with files).
So, the flow I suggest would be:
Hopefully, step 2 could be removed in the future and you should be able to transfer the base64 from step 1 directly to step 3 (or any other solution). Regardless, if possible I suggest you put this logic into a block, so it is easier and faster to change that in the future.
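The intermediate "write it down to disk" action described in the reply above could look like the following; this is an added example, not part of the original post and not Siemplify SDK code. The function name `write_attachment`, the size cap and the `casewall_` directory prefix are assumptions, and the input is the base64 string that "Get Attachment" is said to return.

```python
import base64
import binascii
import hashlib
import os
import re
import tempfile

MAX_BYTES = 32 * 1024 * 1024  # assumed size cap for this sketch


def write_attachment(b64_data, filename, base_dir=None, max_bytes=MAX_BYTES):
    """Decode a base64 attachment and write it to a private directory.

    Returns (path, sha256_hex). Raises ValueError on bad input.
    """
    try:
        data = base64.b64decode(b64_data, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("attachment is not valid base64") from exc
    if len(data) > max_bytes:
        raise ValueError("attachment exceeds size cap")

    # Keep only the final path component and a conservative character set, so
    # a name like "../../etc/cron.d/x" cannot escape the target directory.
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    if not name:
        raise ValueError("attachment has no usable file name")

    # mkdtemp creates a fresh 0700 directory, avoiding predictable /tmp paths.
    target_dir = tempfile.mkdtemp(prefix="casewall_", dir=base_dir)
    path = os.path.join(target_dir, name)

    # O_EXCL refuses to follow or overwrite an existing file; 0600 keeps the
    # sample unreadable to other users and non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path, hashlib.sha256(data).hexdigest()
```

The returned path is what a file-path based action would take as input, and the SHA-256 can be logged to tie the file on disk back to the case wall evidence.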

Understood - kind of.
When do you think these future improvements to file handling will be available - is it 3 months, 1 year, ...?


Let me ask around and let you know what I find out.

Hi all, we're investigating some possible directions and will update by the end of the week.

Hi all, I'm interested in the upcoming changes when it comes to working with files as well.